Open network services provide additional attack surface for hackers to exploit. Many security breaches are the result of attackers taking advantage of security vulnerabilities in network services such as:

Flaws in the network service and supporting application libraries (e.g. client-server or peer-to-peer software components)

These flaws can lead to the device being compromised or to Denial of Service (DoS) attacks rendering the device and/or services unavailable.

Therefore, network services unnecessary for the intended purpose or operation of that device should be removed or disabled to reduce the overall risk.

Recommendations

1. Identify When a Service is Necessary

Is there a clear University business or educational need for the network service?

Is the service generally appropriate given your role at the University?

Does the service prevent guest or anonymous access to your computer or files?

Services must also NOT:

Introduce a security risk

Interfere with other University resources or the campus network

Create an excessive burden on campus infrastructure or resources

2. Harden Operating Systems

Use a well-known security benchmark such as the CIS (Center for Internet Security) benchmarks to secure your device’s configuration. Each benchmark will have specific information about which network services can and should be disabled by default:

3. Beware of User-installed Software

Some applications install network services that are not required at all, or that are configured to listen on the network when only local access is needed. After installing a new application, review the services listening on the device to confirm that no unnecessary network services were enabled.
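The review described in steps 1 and 3 comes down to one question: which processes are listening, on which addresses, and are they expected? The script below is an added example, not part of this guidance and not any vendor's tool. It assumes a Linux host where `ss -H -tulnp` (iproute2) lists listening sockets; the sample output embedded in it is constructed for illustration, with invented process names and PIDs. It classifies each listener as local (bound to loopback only) or network (reachable from other hosts) and reports any network listener whose process is not on an allowlist you supply.

```shell
#!/bin/sh
# Constructed sample of `ss -H -tulnp` output (invented values, for illustration only).
# Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
SAMPLE_SS_OUTPUT='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=1201,fd=7))
tcp   LISTEN 0      511             [::]:5900         [::]:*    users:(("vncserver",pid=2210,fd=5))
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*    users:(("systemd-resolve",pid=500,fd=12))
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=640,fd=13))'

# Read ss output on stdin; print one line per listener:
#   <scope> <proto> <port> <bind-address> <process>
# scope is "local" for loopback-only binds and "network" for everything else.
audit_listeners() {
  awk '
    {
      proto = $1
      local = $5
      port = local; sub(/.*:/, "", port)          # text after the last colon
      addr = local; sub(/:[^:]*$/, "", addr)      # everything before it
      sub(/%.*/, "", addr)                        # drop interface scope, e.g. 127.0.0.53%lo
      gsub(/\[/, "", addr); gsub(/\]/, "", addr)  # strip IPv6 brackets
      name = "-"                                  # process column is absent when not root
      if (match($7, /\("[^"]+"/))                 # users:(("sshd",pid=812,fd=3))
        name = substr($7, RSTART + 2, RLENGTH - 3)
      scope = (addr ~ /^127\./ || addr == "::1") ? "local" : "network"
      printf "%s %s %s %s %s\n", scope, proto, port, addr, name
    }'
}

# Read audit_listeners output on stdin; print network-reachable listeners whose
# process name is not in the space-separated allowlist given as $1.
unexpected_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "network" && !($5 in ok) { print }'
}

# Demo against the constructed sample: only sshd is expected to face the network.
# On a real host run:  ss -H -tulnp | audit_listeners | unexpected_listeners "sshd"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners | unexpected_listeners "sshd"
```

Anything this reports is a candidate for removal, for rebinding to 127.0.0.1, or for a host-firewall rule (step 4); in the sample the VNC server and mDNS responder are flagged while PostgreSQL, bound to loopback, is not.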

4. Reduce Attack Surface

Just because a service is deemed necessary for University business or educational purposes doesn’t mean that it needs to be accessible to the world.

4.1 Use host-based firewall rules

Use host-based firewall rules to limit access to services, so that only authorized hosts/networks can connect to those services.

4.2 Use Remote Access VPN

If a network service must be broadly available from the Internet, first consider using the Remote Access VPN as a solution before enabling Internet access to a service:

Configure your host-based firewall to default deny connections to the network service from the Internet.
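Sections 4.1 and 4.2 describe the same host-firewall shape: deny inbound connections by default, then allow a necessary service only from authorized networks, which for an Internet-facing service would be the VPN address pool rather than the whole Internet. The script below is an added example, not part of this guidance and not a University-provided tool. It assumes a Linux host using nftables; the CIDRs used in the demo and test are RFC 5737 / RFC 3849 documentation ranges standing in for a campus or VPN pool, and the table name `host_fw` is a placeholder. It generates a ruleset for one TCP service port restricted to the given source networks; everything else inbound is dropped.

```shell
#!/bin/sh
# Usage: gen_ruleset <tcp-port> <allowed-cidr> [<allowed-cidr> ...]
# Prints an nftables ruleset to stdout. Apply with:
#   gen_ruleset 22 192.0.2.0/24 | sudo nft -c -f -   # syntax check only
#   gen_ruleset 22 192.0.2.0/24 | sudo nft -f -      # load (adds to the live ruleset)
gen_ruleset() {
  port=$1; shift
  v4=""; v6=""
  # Sort allowed sources into IPv4 and IPv6 sets; nft matches them with
  # different selectors (ip saddr vs ip6 saddr).
  for cidr in "$@"; do
    case $cidr in
      *:*) v6="${v6:+$v6, }$cidr" ;;
      *)   v4="${v4:+$v4, }$cidr" ;;
    esac
  done

  printf 'table inet host_fw {\n'
  printf '  chain input {\n'
  # Default deny: anything not explicitly accepted below is dropped.
  printf '    type filter hook input priority 0; policy drop;\n'
  # Replies to connections this host initiated keep working.
  printf '    ct state established,related accept\n'
  printf '    ct state invalid drop\n'
  # Loopback traffic is local-only and stays unrestricted.
  printf '    iifname "lo" accept\n'
  # Keep basic ICMP so path MTU discovery and neighbour discovery still function.
  printf '    ip protocol icmp accept\n'
  printf '    ip6 nexthdr icmpv6 accept\n'
  # The service is reachable only from the authorized sources; no broad accept.
  [ -n "$v4" ] && printf '    tcp dport %s ip saddr { %s } accept\n' "$port" "$v4"
  [ -n "$v6" ] && printf '    tcp dport %s ip6 saddr { %s } accept\n' "$port" "$v6"
  printf '  }\n'
  printf '}\n'
}

# Demo: SSH allowed only from a placeholder VPN pool (documentation ranges).
gen_ruleset 22 192.0.2.0/24 2001:db8::/32
```

Because the chain policy is drop and the only service rule carries a source match, a connection from anywhere outside the listed networks never reaches the service, which is the "default deny from the Internet" posture the section asks for. Before loading on a remote machine, run the `nft -c` check and confirm your own management address is inside an allowed range.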